Combining stateless and stateful server load balancing

ABSTRACT

The processing of data packets sent over a communication session between a host and a server by a service gateway includes processing a data packet using a current hybrid-stateful or hybrid-stateless processing method. The processing then checks whether a hybrid-stateless or hybrid-stateful condition is satisfied. When one of the sets of conditions is satisfied, the process includes changing from a hybrid-stateful to a hybrid-stateless processing method, or vice versa, for a subsequently received data packet. If the conditions are not satisfied, the process continues as originally structured.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims the priority benefit of U.S. patent application Ser. No. 13/280,336 filed on Oct. 24, 2011, and issued on Nov. 25, 2014 as U.S. Pat. No. 8,897,154, entitled “Combining Stateless and Stateful Server Load Balancing,” the disclosure of which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field

This invention relates generally to data communications, and more specifically, to a service gateway.

2. Related Art

Demand for data communication services for consumer and corporate computing devices has been rapidly increasing. Service providers deploy service gateways such as server load balancers or traffic managers to bridge host computers or computing devices with servers providing the data services.

Service gateways provide services using either a stateful processing method or a stateless processing method. Generally, in a stateful processing method, packets are processed as a stream of packets, and each packet in the stream is processed in the same way. In a stateless processing method, packets are processed discretely, where each packet is assessed individually. The stateful processing method may be preferred over the stateless processing method due to the security and control features that may be implemented; however, the resource requirements of such features may make the services difficult to scale. The stateless processing method may be preferred over the stateful processing method due to its scalability; however, this is at the expense of security and control.

Traffic managed by service gateways is rarely uniform, as conditions on a network typically fluctuate, at times greatly. Currently, system administrators are required to choose either a stateful processing method or a stateless processing method for a particular service address, weighing the costs and benefits of each method. System administrators are not able to realize the advantages of both processing methods for such non-uniform traffic.

BRIEF SUMMARY OF THE INVENTION

According to one embodiment of the present invention, a method for processing data packets sent over a communication session between a host and a server by a service gateway, comprises: processing a data packet using a hybrid-stateful processing method by the service gateway; checking by the service gateway whether a hybrid-stateless condition is satisfied; in response to determining that the hybrid-stateless condition is satisfied, changing to a hybrid-stateless processing method for a subsequently received data packet by the service gateway; and in response to determining that the hybrid-stateless condition is not satisfied, processing the subsequently received data packet using the hybrid-stateful processing method by the service gateway.

In another embodiment of the present invention, a method for processing data packets sent over a communication session between a host and a server by a service gateway, comprises: processing a data packet using a hybrid-stateless processing method by the service gateway, wherein the hybrid-stateless processing method processes the data packet using a stateless processing method unless a service address or a server address of the data packet matches a session entry in a session table; checking by the service gateway whether a hybrid-stateful condition is satisfied; in response to determining that the hybrid-stateful condition is satisfied, changing to a hybrid-stateful processing method for a subsequently received data packet by the service gateway, wherein the hybrid-stateful processing method processes the subsequently received data packet using a stateful processing method unless the subsequently received data packet either does not comprise a service request or the subsequently received data packet is received from the server; in response to determining that the hybrid-stateful condition is not satisfied, processing the subsequently received data packet using the hybrid-stateless processing method by the service gateway; wherein the hybrid-stateful processing method comprises: receiving the data packet by the service gateway; determining by the service gateway whether the data packet is received by the service gateway from the host or the server; in response to determining that the data packet is received from the host, determining by the service gateway whether the data packet comprises a service request; in response to determining that the data packet comprises the service request, processing the data packet using the stateful processing method by the service gateway; in response to determining that the data packet is received from the host and does not comprise the service request, processing the data packet using the hybrid-stateless processing method by the service gateway; and in response to determining that the data packet is received from the server, processing the data packet using the hybrid-stateless processing method by the service gateway.

In one aspect of the present invention, the hybrid-stateless processing method comprises: receiving the subsequently received data packet from the host by the service gateway; obtaining the service address from the subsequently received data packet by the service gateway; comparing the service address of the subsequently received data packet against service addresses stored in session entries in the session table by the service gateway; in response to determining that the session table comprises a session entry matching the service address of the subsequently received data packet, processing the subsequently received data packet based on information stored in the matching session entry using the stateful processing method by the service gateway. In response to determining that the session table does not comprise any session entry matching the service address of the subsequently received data packet: comparing the service address of the subsequently received data packet against service addresses stored in mapping entries in a mapping table by the service gateway, finding a mapping entry matching the service address of the subsequently received data packet by the service gateway, and processing the subsequently received data packet based on information stored in the matching mapping entry using the stateless processing method by the service gateway.

System and computer program products corresponding to the above-summarized methods are also described and claimed herein.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a service gateway for processing a communication session between a host and a plurality of servers.

FIG. 2 illustrates a stateful processing method.

FIG. 3 illustrates a stateless processing method.

FIG. 4 illustrates an embodiment of a service gateway performing a hybrid-stateless processing method combining a stateful processing method and a stateless processing method according to the present invention.

FIG. 5 illustrates an embodiment of a service gateway performing a hybrid-stateful processing method combining a stateful processing method and a stateless processing method according to the present invention.

FIG. 6 illustrates an embodiment of a service gateway changing from a hybrid-stateful processing method to a hybrid-stateless processing in response to a hybrid-stateless condition being satisfied according to the present invention.

FIG. 7 illustrates an embodiment of a service gateway changing from a hybrid-stateless processing method to a hybrid-stateful processing method in response to a hybrid-stateful condition being satisfied according to the present invention.

FIG. 8 is a flowchart illustrating an embodiment of a hybrid-stateless processing method according to the present invention.

FIG. 9 is a flowchart illustrating an embodiment of a hybrid-stateful processing method according to the present invention.

FIG. 10 is a flowchart illustrating an embodiment of a method for changing from a hybrid-stateful processing method to a hybrid-stateless processing in response to a hybrid-stateless condition being satisfied according to the present invention.

FIG. 11 is a flowchart illustrating an embodiment of a method for changing from a hybrid-stateless processing method to a hybrid-stateful processing method in response to a hybrid-stateful condition being satisfied according to the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The following description is presented to enable one of ordinary skill in the art to make and use the invention and is provided in the context of a patent application and its requirements. Various modifications to the embodiment will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. Thus, the present invention is not intended to be limited to the embodiment shown but is to be accorded the widest scope consistent with the principles and features described herein.

The present invention can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements. In a preferred embodiment, the present invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.

Furthermore, the present invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.

The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W) and DVD.

A data processing system suitable for storing and/or executing program code will include at least one processor coupled directly or indirectly to memory elements through a system bus. The memory elements can include local memory employed during actual execution of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.

Input/output or I/O devices (including but not limited to keyboards, displays, point devices, etc.) can be coupled to the system either directly or through intervening I/O controllers.

Network adapters may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modem and Ethernet cards are just a few of the currently available types of network adapters.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified local function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

Embodiments of the present invention provide a security gateway with the capability of processing packets using either a hybrid stateless processing method or a hybrid stateful processing method, and with the capability for assessing conditions in determining whether to switch from using the hybrid stateful processing method to the hybrid stateless processing method or vice versa. Before describing the various embodiments of the present invention, the stateful only and stateless only methods are first described with reference to FIGS. 1 through 3.

FIG. 1 illustrates a service gateway 110 for processing a communication session 300 between a host 100 and a server 200. A plurality of data packets are sent between host 100 and server 200 over the communication session 300. The service gateway 110 receives a service request 301 data packet from a host 100 to establish communication session 300. Service request 301 is delivered over a data network 153. Service request 301 may be a Web service request such as an HTTP (Hypertext Transport Protocol) request, a secure HTTP request, an FTP (File Transfer Protocol) request, a file transfer request, a SIP (Session Initiation Protocol) session request, a request based on Web technology, a video or audio streaming request, a Web conferencing session request, or any request over the Internet, corporate network, data center network, or a network cloud. Service request 301 may be a request for a mobile application download, an advertisement delivery request, an e-book delivery request, a collaboration session request, or an on-line newspaper or magazine delivery request.

Host 100 is a computing device with network access capabilities. Host 100 may be a workstation, a desktop personal computer or a laptop personal computer. In some embodiments, host 100 is a Personal Data Assistant (PDA), a tablet, a smartphone, or a cellular phone. For other examples, host 100 may be a set-top box, an Internet media viewer, an Internet media player, a smart sensor, a smart medical device, a net-top box, a networked television set, a networked DVR, a networked Blu-ray player, or a media center.

Service gateway 110 is a computing device operationally coupled to a processor 113 and a computer readable medium 114 for storing computer readable program code to be executed by the processor 113. Service gateway 110 may be implemented as a server load balancer, an application delivery controller, a service delivery platform, a traffic manager, a security gateway, a component of a firewall system, a component of a virtual private network (VPN), a load balancer for video servers, or a gateway to distribute load to one or more servers.

Server 200 is a computing device operationally coupled to a processor 213 and a computer readable medium 214 for storing computer readable program code to be executed by the processor 213. The computer readable program code may implement server 200 as a Web server, a file server, a video server, a database server, an application server, a voice system, a conferencing server, a media gateway, a SIP server, a remote access server, a VPN server, a media center, an app server or a network server providing a network or application service to host 100.

Data network 153 may include an Internet Protocol (IP) network. Data network 153 may include a corporate data network or a regional corporate data network, an Internet service provider network, a residential data network, a wired network such as Ethernet, a wireless network such as a WiFi network, or cellular network. Data network 153 may reside in a data center, or connect to a network or application network cloud.

Service request 301 from host 100 includes a service address 331, such as an IP address. Service address 331 includes an application layer address or a transport layer port number, such as transmission control protocol (TCP) port number or user datagram protocol (UDP) port number. Service address 331 is associated with service gateway 110 so that service gateway 110 processes the service request 301. Service address 331 may include a destination IP address of service request 301, and optionally may include destination transport layer port number of service request 301.

Service request 301 may include a TCP session request data packet, or a UDP data packet. Service address 331 is included in the data packet of service request 301.

Service gateway 110 determines a server address 321 based on service address 331 obtained from service request 301. Server address 321 is associated with server 200 and may include a network address or IP address of server 200. Server address 321 may include an application layer address, such as a TCP port number or a UDP port number of server 200.

Based on server address 321, service gateway 110 sends a service session request 306 to server 200. Subsequently service gateway 110 receives a response to session request 306 from server 200 and establishes a server-side service session 305 with server 200. Based on session request 306 response, service gateway 110 sends a service request 301 response to host 100, and establishes a host-side service session 302 with host 100 for service request 301.

Communication session 300 includes host-side service session 302 and server-side service session 305. Service session 302 includes one or more data packets from host 100 for communication session 300. Service session 305 includes one or more data packets from server 200 for communication session 300. Service session 302 may include service request 301.

Upon establishment of service session 302 and service session 305, service gateway 110 subsequently processes a data packet 304 of service session 302 received from host 100. Data packet 304 includes service address 331. Service gateway 110 modifies data packet 304 by replacing service address 331 with server address 321. Service gateway 110 sends modified data packet 304 to server 200.

When service gateway 110 receives a data packet 307 of service session 305 from server 200, service gateway 110 processes data packet 307. Data packet 307 of service session 305 may include server address 321. Service gateway 110 modifies data packet 307 by replacing server address 321 with service address 331. Service gateway 110 sends modified data packet 307 to host 100.

There are two common methods in processing service session 302 and service session 305: a stateful processing method and a stateless processing method. FIG. 2 illustrates a stateful processing method. In FIG. 2, service gateway 110 maintains a service session table 412. Session table 412 stores one or more service session entries. Service gateway 110 creates a session entry 420 for service session 302. Session entry 420 stores service address 331 and server address 321 to associate service address 331 and server address 321. Service gateway 110 may create session entry 420 after establishing host-side service session 302 and server-side service session 306. Service gateway 110 may create session entry 420 after receiving service request 301. Service gateway 110 stores service address 331 and server address 321 in session entry 420 after service gateway 110 determines the addresses. Service gateway 110 stores session entry 420 in session table 412.

Service gateway 110 includes a storage 400 and stores session table 412 in storage 400. Storage 400 is a memory module residing in service gateway 110. Service gateway 110 includes a network processing module (not shown) comprising a field programmable gate array (FPGA), a network processor, or an application specific integrated circuit (ASIC). Storage 400 is associated with the network processing module. Examples of storage 400 include a content addressable memory (CAM), a ternary content addressable memory (TCAM), a static random accessible memory (SRAM), or a dynamic random accessible memory (DRAM).

Service gateway 110 obtains service address 331 from service request 301. Service gateway 110 maintains a service policy 471 and determines server address 321 based on service policy 471. Service policy 471 may be based on a relationship between server 200 and service address 331. Service policy 471 includes service address 331 and server address 321. Service gateway 110 selects service policy 471 based on a match between service address 331 obtained from service request 301 and the service address in the service policy 471. Service gateway 110 applies service policy 471 to service request 301. Service policy 471 may include a security policy 482 where a non-secure service request 301 can be sent to server 200. Service policy 471 may include a traffic policy 483, where service request 301 is served by server 200 when traffic load to server 200 is low. Service request 301 may be received from a predetermined network interface of service gateway 110 and traffic policy 483 indicates that service request 301 from the network interface should be sent to server 200.

Server 240 also serves service request 301. Service policy 471 may include a server load policy 484 indicating that service request 301 is to be sent to server 200 when server load of server 240 is high. In one example, service policy 471 includes a server availability policy 485 indicating that service request 301 is to be sent to server 200, where server 200 is a back-up server to server 240, and server 240 is not available. Service policy 471 may include a load balancing policy 486 between server 200 and server 240. Service gateway 110 selects server 200 using the load balancing policy 486, which may include a round robin or another load balancing scheme. Service policy 471 may include a host policy 487 indicating that service request 301 is to be sent to server 200 when host 100 satisfies host policy 487.

After service gateway 110 applies service policy 471 to service request 301, service gateway 110 retrieves server address 321 from service policy 471. Service gateway 110 creates session entry 420 with service address 331 and server address 321, associating service address 331 and server address 321. Service gateway 110 stores session entry 420 in session table 412.

Service gateway 110 uses session table 412 to process data packet 304 received from host 100, and data packet 307 received from server 200. When service gateway 110 receives data packet 304 from host 100, service gateway 110 obtains service address 331 from data packet 304. Service gateway 110 compares the obtained service address 331 against service addresses stored in session table 412. When service gateway 110 determines there is a match between the obtained service address 331 and session entry 420 in session table 412, service gateway 110 uses information stored in session entry 420 to process data packet 304. Service gateway 110 modifies data packet 304 by replacing service address 331 with server address 321, where server address 321 is obtained from the matched session entry 420. Service gateway 110 sends modified data packet 304 to server 200.

Service request 301 may include a host address 104 associated with host 100. Service gateway 110 retrieves host address 104 from service request 301. Service gateway 110 may use retrieved host address 104 when applying service policy 471. Service gateway 110 stores host address 104 in service session entry 420. Data packet 304 may include host address 104. Service gateway 110 obtains host address 104 from data packet 304 and compares the obtained host address 104 against addresses stored in session table 412 and session entry 420.

When service gateway 110 receives a data packet 307 of server-side service session 305 from server 200, service gateway 110 retrieves server address 321 from data packet 307. Service gateway 110 compares the obtained server address 321 against addresses stored in session table 412, and determines there is a match with session entry 420. In response to determining there is a match, service gateway 110 uses session entry 420 to process data packet 307. Service gateway 110 modifies data packet 307 by replacing server address 321 with service address 331, which is retrieved from the matched session entry 420. Service gateway 110 sends modified data packet 307 to host 100.

Data packet 307 may include host address 104. Service gateway 110 obtains host address 104 from data packet 307 and uses the obtained host address 104 in comparing against addresses stored in session table 412 and session entry 420.

Data packet 304 received from service session 302 may indicate a session termination request. For example, data packet 304 is a TCP FIN packet or a TCP RESET packet. Service gateway 110 inspects data packet 304 content and determines data packet 304 includes a session termination request. In response, service gateway 110 removes session entry 420 from session table 412. Service gateway 110 may remove session entry 420 after processing data packet 304 or wait for a pre-determined period of time before removing session entry 420.

The processing method illustrated in FIG. 2 is often referred to as a stateful processing method. A stateful processing method allows service gateway 110 to apply one or more service policies to select server 200. The service policies may include security policies and other policies to protect server 200. Security policy 482 may cause service request 301 to be declined if a security concern is detected. Such security consideration is known to those skilled in the art and is not described in this application. Applying traffic policy 483 or server load policy 484 can also protect server 200 from overloading. Enforcing the service policies often improves service response time of server 200 to serve host 100.

However, applying service policy 471 to service request 301 requires computation resource of service gateway 110, such as CPU cycles. Such computation requirement may pose a limitation on the ability of service gateway 110 to provide services when service gateway 110 receives and processes a large number of service requests over a short period of time.

For example, session table 412 has a certain capacity limit, such as 4 GB, 2000 entries, up to 10000 entries or 200 MB. The greater the number of service sessions serviced by service gateway 110 using a stateful processing method, the greater the number of session entries stored in session table 412. The capacity of session table 412 may become a severe limitation to the servicing capabilities of service gateway 110.
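The stateful method of FIG. 2 and its capacity limit, as an added Python sketch that is not part of the patent text: a session table keyed by host and service address, round-robin server selection standing in for load balancing policy 486, and entry removal on FIN or RESET. The addresses, the class and function names, and the choice to refuse new sessions once the table is full are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import cycle

# Constructed sample addresses (documentation ranges), not from the patent.
SERVICE_ADDR = "203.0.113.10:80"                   # service address 331
SERVERS = ["10.0.0.200:8080", "10.0.0.240:8080"]   # servers 200 and 240


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset = frozenset()   # e.g. {"SYN"}, {"FIN"}, {"RST"}


class SessionTableFull(Exception):
    """No room for a new session entry (refusing is an assumed behaviour)."""


class StatefulGateway:
    def __init__(self, service_addr=SERVICE_ADDR, servers=SERVERS, capacity=2000):
        self.service_addr = service_addr
        self.capacity = capacity               # limit of the session table
        self._round_robin = cycle(servers)     # stands in for a load balancing policy
        self.by_host = {}     # (host address, service address) -> server address
        self.by_server = {}   # (server address, host address)  -> service address

    def from_host(self, pkt):
        """Rewrite a host packet: service address -> server address."""
        key = (pkt.src, pkt.dst)
        if key not in self.by_host:
            # Only a service request for our service address opens a session.
            if "SYN" not in pkt.flags or pkt.dst != self.service_addr:
                return None
            if len(self.by_host) >= self.capacity:
                raise SessionTableFull(f"{len(self.by_host)} entries in use")
            server = next(self._round_robin)   # policy is applied once per session
            self.by_host[key] = server
            self.by_server[(server, pkt.src)] = pkt.dst
        server = self.by_host[key]
        if pkt.flags & {"FIN", "RST"}:
            # Session termination request: remove the entry after processing.
            del self.by_host[key]
            del self.by_server[(server, pkt.src)]
        return Packet(pkt.src, server, pkt.flags)

    def from_server(self, pkt):
        """Rewrite a server packet: server address -> service address."""
        service = self.by_server.get((pkt.src, pkt.dst))
        if service is None:
            return None                        # no matching session entry
        return Packet(service, pkt.dst, pkt.flags)


def accepted_in_burst(gateway, hosts):
    """Send one service request per host; count how many get a session entry."""
    accepted = 0
    for host in hosts:
        try:
            gateway.from_host(Packet(host, gateway.service_addr, frozenset({"SYN"})))
            accepted += 1
        except SessionTableFull:
            break
    return accepted


if __name__ == "__main__":
    gw = StatefulGateway(capacity=3)
    burst = [f"198.51.100.{i}:40000" for i in range(1, 11)]
    print("sessions accepted out of 10:", accepted_in_burst(gw, burst))
```

A burst of service requests fills the table at one entry per session, which is the scaling limit the paragraph above describes; every later request is refused until a FIN or RESET frees an entry.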

FIG. 3 illustrates a stateless processing method. In this method, service gateway 110 does not use session table 412. Instead, service gateway 110 maintains and uses a service mapping table 452. Service mapping table 452 is stored in storage 400. Service mapping table 452 includes a service mapping entry 460. Mapping entry 460 may include service address 331 and server address 321, associating service address 331 and server address 321. According to the service mapping entry 460, server 200 with server address 321 serves host 100 for service address 331.

When service gateway 110 receives a data packet 304 from host 100, service gateway 110 obtains service address 331 from data packet 304, and compares service address 331 with service addresses stored in service mapping table 452. When service gateway 110 determines there is a match with mapping entry 460, service gateway 110 retrieves server address 321 from mapping entry 460. Service gateway 110 modifies data packet 304 by replacing service address 331 with server address 321. Service gateway 110 sends modified data packet 304 to server 200.

When service gateway 110 receives a data packet 307 from server 200, service gateway 110 processes data packet 307 using service mapping table 452. Service gateway 110 obtains server address 321 from data packet 307. Service gateway 110 compares server address 321 against server addresses stored in service mapping table 452. When service gateway 110 determines there is a match with mapping entry 460, service gateway 110 retrieves service address 331 from mapping entry 460, and modifies data packet 307 by replacing server address 321 with service address 331. Subsequently service gateway 110 sends modified data packet 307 to host 100.

Service gateway 110 may match service address 331 or server address 321 against service mapping table 452 using a hash method. Service mapping table 452 includes a hash table using a hash function (HashFunc) 571. Mapping entry 460 is associated with a hash value (HashValue 581).

HashValue 581 includes the result of applying HashFunc 571 to service address 331. HashValue 581 may include the result of applying HashFunc 571 to server address 321.

HashValue 581 may include an index of mapping entry 460 in service mapping table 452. Mapping entry 460 occupies an entry in service mapping table 452 indexed by HashValue 581. For example, service mapping table 452 contains 1000 entries where the indices are 1-1000, and mapping entry 460 has an index of 894. In another example, service mapping table 452 contains 16 entries and mapping entry 460 has an index of 7.

Service gateway 110 applies HashFunc 571 to service address 331 of data packet 304 to obtain HashValue 581. Assume that service gateway 110 searches service mapping table 452 for an entry with index HashValue 581 and finds mapping entry 460. For data packet 307, service gateway 110 applies HashFunc 571 to server address 321 of data packet 307 to obtain HashValue 581. Service gateway 110 searches service mapping table 452 for an entry with index HashValue 581 and finds mapping entry 460.

Mapping entry 460 may include HashValue 581. After service gateway 110 applies hash function HashFunc 571 to obtain HashValue 581, service gateway 110 searches service mapping table 452 and finds mapping entry 460 containing an index matching HashValue 581.

Examples of hash functions HashFunc 571 include CRC checksum functions and other checksum functions; hash functions using a combination of bit-wise operators such as bit-wise AND operator, bit-wise OR operator, bit-wise NAND operator and bit-wise XOR operator; MD5 hash functions and other cryptography hash functions; Jenkins hash function and other non-cryptography hash functions; hardware based hash functions implemented in FPGA, ASIC or an integrated circuit board of service gateway 110; and other types of hash functions or table lookup functions. Typically such hash functions are simple and can be calculated rapidly by service gateway 110.
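The hash-indexed mapping table of FIG. 3, as an added Python sketch that is not part of the patent text: a fixed-size table indexed by a CRC-based hash, looked up by service address for host packets and by server address for server packets. The addresses and names are constructed, and two details are assumptions beyond the description: the stored address is compared after the index lookup, and colliding entries are placed by linear probing.

```python
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def crc_hash(address, size):
    """HashFunc: CRC checksum of the address reduced to a table index."""
    return zlib.crc32(address.encode()) % size


class MappingTable:
    """Fixed-size table; its occupancy depends on configuration, not on traffic."""

    def __init__(self, size=16, hash_func=crc_hash):
        self.size = size
        self.hash_func = hash_func
        self.by_service = [None] * size   # slot -> (service address, server address)
        self.by_server = [None] * size    # slot -> (server address, service address)

    def _slots(self, address):
        # Probe sequence starting at the hash index (assumed collision handling).
        start = self.hash_func(address, self.size)
        return ((start + step) % self.size for step in range(self.size))

    def _get(self, table, key):
        for slot in self._slots(key):
            if table[slot] is None:
                return None               # empty slot ends the probe: no mapping
            if table[slot][0] == key:     # verify the address, not just the index
                return table[slot][1]
        return None

    def _put(self, table, key, value):
        for slot in self._slots(key):
            if table[slot] is None:
                table[slot] = (key, value)
                return
        raise OverflowError("mapping table is full")

    def configure(self, service_addr, server_addr):
        """Administrator adds a mapping entry; one server per service address."""
        if self._get(self.by_service, service_addr) is not None:
            raise ValueError(f"{service_addr} is already mapped")
        if self._get(self.by_server, server_addr) is not None:
            raise ValueError(f"{server_addr} is already mapped")
        self._put(self.by_service, service_addr, server_addr)
        self._put(self.by_server, server_addr, service_addr)

    def entries(self):
        return sum(slot is not None for slot in self.by_service)


def from_host(table, pkt):
    """Host packet: replace the service address with the server address."""
    server = table._get(table.by_service, pkt.dst)
    return None if server is None else Packet(pkt.src, server)


def from_server(table, pkt):
    """Server packet: replace the server address with the service address."""
    service = table._get(table.by_server, pkt.src)
    return None if service is None else Packet(service, pkt.dst)


if __name__ == "__main__":
    table = MappingTable()
    table.configure("203.0.113.10:80", "10.0.0.200:8080")    # constructed addresses
    for i in range(1, 1001):                                 # 1000 different hosts
        from_host(table, Packet(f"198.51.100.{i % 250}:{40000 + i}", "203.0.113.10:80"))
    print("entries after 1000 host packets:", table.entries())
```

Without the address comparison, two addresses that hash to the same index would be rewritten to the same server, so the check matters whenever the hash function is a fast non-cryptographic one.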

Data packet 304 includes host address 104 associated with host 100. Service gateway 110 obtains host address 104 from data packet 304 and uses the obtained host address 104 in the processing of data packet 304.

Data packet 307 includes host address 104. Service gateway obtains host address 104 from data packet 307 and uses the obtained host address 104 in the processing of data packet 307.

Typically, mapping entry 460 is configured by a service provider or an administrator of a service provider. Mapping entry 460 may be configured when server 200 becomes available, or when server address 321 or service address 331 becomes available. Server address 321 or service address 331 may be configured by the service provider to become available.

In this stateless processing method, service mapping table 452 is not related to the number of service sessions processed by service gateway 110. The capacity of service mapping table 452 is related to the number of available service addresses and server addresses. Such capacity is usually small. Service mapping tables 452 may have a few tens of entries or a few thousand entries.

The advantages of a stateless processing method include small resource requirement for service mapping table 452, a minimal or no computational requirement to handle service request 301, or no requirements to apply service policy 471. A stateless processing method is usually preferred over a stateful processing method when service gateway 110 receives a large number of service session requests in a short period of time, or under a heavy load of service requests. A stateless method is also preferred when the memory capacity of session table for new sessions is running low, say below 10% of the session table 412. A stateless method protects service gateway 110 from resource overload and therefore maintains service quality towards host 100 under stressful situations.

However, a stateless processing method may be less desirable than a stateful processing method due to security concerns, since service gateway 110 does not apply security policy 482. Similarly service gateway 110 does not apply any other policy in service policy 471, affecting security of server 200, security of data network 153, traffic condition of data network 153, and service quality rendered to host 100. A stateful processing method is also preferred over the stateless processing method when service gateway 110 may select server address 321 from a plurality of server addresses. For example, a service provider may configure a plurality of servers to serve service address 331 in a load balancing manner. A service provider may configure a backup server for service address 331.

In a typical deployment scenario, a service provider may use a stateful processing method for a first service address while using a stateless processing method for a different second service address. The service provider does not expect the first service to have significant traffic or usage. The service provider may not expect the second service to be a security concern. In reality, the first service may see a sudden surge of traffic due to an unforeseen situation, whereas the second service may suffer a security attack. Using a hybrid processing method according to the present invention, as described below, a service provider may combine a stateful processing method for the first service when the load is light and change to a stateless processing method when the load becomes heavy; and may deploy a hybrid processing method to combine a stateless processing method for the second service during normal circumstances and switch immediately to a stateful processing method when a security alert is detected for the second service.

The various embodiments of the present invention are now described with reference to FIGS. 4 through 11.

FIG. 4 illustrates an embodiment of a service gateway 110 performing a hybrid-stateless processing method combining a stateful processing method and a stateless processing method according to the present invention. FIG. 8 is a flowchart illustrating an embodiment of a hybrid-stateless processing method according to the present invention. In this embodiment, the computer readable medium 114 of the service gateway 110 stores computer readable program code, which when executed by processor 113, implements the various embodiments of the present invention. Service gateway 110 maintains session table 412 and service mapping table 452 in storage 400. In this embodiment of a hybrid-stateless processing method, service gateway 110 processes a received data packet 304 with a stateless method using service mapping table 452 when the service address of the received data packet 304 does not match any service addresses stored in session table 412.

Service gateway 110 connects to server 200 and server 240. Server 200 is associated with server address 321. Server 240 is associated with server address 324. Service gateway 110 is associated with service address 331 and service address 334.

In some embodiments, session table 412 includes a session entry 420 which stores service address 331 and server address 321, associating service address 331 and server address 321. Service mapping table 452 includes a mapping entry 462 which stores service address 334 and server address 324, associating service addresses 334 and 324.

In various embodiments, server 200 may be the same as server 240. Server address 321 may be the same as server address 324. Service address 331 may be the same as service address 334.

Referring to both FIGS. 4 and 8, service gateway 110 receives a data packet 304 from host 100 (801). Service gateway 110 obtains service address 336 from data packet 304 (802). Service gateway 110 compares service address 336 of data packet 304 against service addresses stored in session table 412 (803).

In some embodiments, service gateway 110 finds a match in session entry 420, where service address 336 matches service address 331 of session entry 420 (804). In response to finding the match, service gateway 110 processes data packet 304 based on information stored in session entry 420 using a stateful processing method (805), such as the one described above with reference to FIG. 2.

When service gateway 110 does not find a match in session table 412 (804), service gateway 110 compares service address 336 of data packet 304 against service addresses in service mapping table 452 (806). If service gateway 110 finds a match in mapping entry 462 of service mapping table 452, wherein service address 336 matches service address 324 of mapping entry 462 (807), service gateway 110 processes data packet 304 based on information stored in mapping entry 462 using a stateless processing method (808), such as the one described above with reference to FIG. 3.

In various embodiments, service gateway 110 receives a data packet 307 from server 200 (830). Service gateway 110 extracts server address 321 from data packet 307 (831) and compares server address 321 of data packet 307 against server addresses stored in session table 412 (832). When service gateway 110 finds a match in session entry 420, with server address 321 of data packet 307 matching server address 321 of session entry 420 (803), service gateway 110 processes data packet 308 using the stateful processing method (805), as described above with reference to FIG. 2.

In some embodiments, service gateway 110 receives a data packet 308 from server 240 (830). Service gateway 110 extracts server address 324 from data packet 308 (832) and compares server address 324 of data packet 308 against server addresses stored in session table 412 (832). When service gateway 110 does not find a match (833), service gateway 110 compares server address 324 of data packet 308 against server addresses stored in service mapping table 452 (834) and finds a match in mapping entry 462, where server address 324 of data packet 308 matches server address 324 of mapping entry 462 (807). In response, service gateway 110 modifies data packet 308 based on information stored in mapping entry 462 using a stateless processing method (808). Service gateway 110 sends modified data packet 308.
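The lookup order of FIGS. 4 and 8 (session table first, hash-indexed service mapping table on a miss) can be sketched as follows. This is an added example, not code from the patent; the class and function names, the CRC32-modulo index, the bucketed slots, the separate per-direction indexes, the "no-match" result and the sample addresses are all assumptions made for illustration.

```python
import zlib
from dataclasses import dataclass

TABLE_SIZE = 16  # small mapping table, like the 16-entry example in the text


def hash_func(address: str) -> int:
    """CRC checksum reduced to a table index (stands in for HashFunc 571)."""
    return zlib.crc32(address.encode("ascii")) % TABLE_SIZE


@dataclass(frozen=True)
class Entry:
    service_address: str
    server_address: str


class HybridStatelessGateway:
    def __init__(self):
        # Session table: one entry per live session, created by the stateful
        # path, so its size grows with the number of sessions.
        self.sessions_by_service = {}
        self.sessions_by_server = {}
        # Service mapping table: provisioned by the administrator and sized by
        # the number of addresses. Each slot is a bucket (an assumption) so two
        # addresses that hash to the same index cannot shadow each other.
        self.map_by_service = [[] for _ in range(TABLE_SIZE)]
        self.map_by_server = [[] for _ in range(TABLE_SIZE)]

    def add_session(self, service_address, server_address):
        entry = Entry(service_address, server_address)
        self.sessions_by_service[service_address] = entry
        self.sessions_by_server[server_address] = entry

    def add_mapping(self, service_address, server_address):
        entry = Entry(service_address, server_address)
        self.map_by_service[hash_func(service_address)].append(entry)
        self.map_by_server[hash_func(server_address)].append(entry)

    def from_host(self, service_address):
        """Host-side packet: return (method, server address to forward to)."""
        entry = self.sessions_by_service.get(service_address)
        if entry is not None:
            # Session entry found: stateful path, where service policy applies.
            return ("stateful", entry.server_address)
        for entry in self.map_by_service[hash_func(service_address)]:
            # Compare the stored address; the index alone proves nothing.
            if entry.service_address == service_address:
                return ("stateless", entry.server_address)
        return ("no-match", None)

    def from_server(self, server_address):
        """Server-side packet: return (method, service address to restore)."""
        entry = self.sessions_by_server.get(server_address)
        if entry is not None:
            return ("stateful", entry.service_address)
        for entry in self.map_by_server[hash_func(server_address)]:
            if entry.server_address == server_address:
                return ("stateless", entry.service_address)
        return ("no-match", None)


def build_sample_gateway():
    """Constructed sample state: one live session and one provisioned mapping."""
    gw = HybridStatelessGateway()
    gw.add_session("203.0.113.10:80", "10.0.0.21:8080")   # like session entry 420
    gw.add_mapping("203.0.113.20:443", "10.0.0.24:8443")  # like mapping entry 462
    return gw


if __name__ == "__main__":
    gw = build_sample_gateway()
    for addr in ("203.0.113.10:80", "203.0.113.20:443", "203.0.113.99:25"):
        print("host ->", addr, gw.from_host(addr))
    print("server ->", "10.0.0.24:8443", gw.from_server("10.0.0.24:8443"))
```

Only packets that take the "stateful" branch pass through service policy 471, so the branch taken is worth recording per service address when auditing which traffic was policy-checked.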

FIG. 5 illustrates an embodiment of a service gateway 110 performing a hybrid-stateful processing method combining a stateful processing method and a stateless processing method according to the present invention. FIG. 9 is a flowchart illustrating an embodiment of the hybrid-stateful processing method according to the present invention. Referring to both FIGS. 5 and 9, service gateway 110 receives a data packet 304 from host 100 (901). In some embodiments, service gateway 110 determines that data packet 304 includes a service request 301 from host 100 (902). In response, service gateway 110 applies a stateful processing method to service request 301 (903). Service gateway 110 performs the stateful processing method, including applying service policy 471 to service request 301, creating session entry 420 using service address 331 of service request 301 and server address 321 of service policy 471, as described above with reference to FIG. 2.

In various embodiments, service gateway 110 determines data packet 304 does not include a service request (902). In response, service gateway 110 processes data packet 304 using the hybrid-stateless processing method, as described above with reference to FIG. 4.

In other embodiments, service gateway 110 receives a data packet 307 from server 200 (901). In this embodiment of a hybrid-stateful processing method, service gateway 110 applies a hybrid-stateless processing method to data packet 307 (904), as described above with reference to FIG. 4.

FIGS. 6 and 10 illustrate an embodiment of a service gateway and a method, respectively, for changing from a hybrid-stateful processing method to a hybrid-stateless processing method in response to a hybrid-stateless condition being satisfied according to the present invention. Referring to both FIGS. 6 and 10, service gateway 110 is using a hybrid-stateful processing method (1001). Service gateway 110 maintains a hybrid-stateless condition 810. Service gateway 110 checks if hybrid-stateless condition 810 is satisfied (1002). In response to determining that the hybrid-stateless condition 810 is satisfied (1003), service gateway 110 changes to a hybrid-stateless processing method (1004). The service gateway 110 processes the next data packet received using the hybrid-stateless processing method, as described above with reference to FIGS. 4 and 8. In response to determining that the hybrid-stateless condition 810 is not satisfied (1003), the service gateway 110 continues using the hybrid-stateful processing method (1005), as described above with reference to FIGS. 5 and 9.

In some embodiments, hybrid-stateless condition 810 includes a session rate 811. For example, session rate 811 is 10 thousand sessions per second, 5 thousand active sessions per second, or one hundred sessions per 10 milliseconds.

In various embodiments, service gateway 110 calculates a session rate 821. Session rate 821 can be calculated based on a count of active host-side service sessions over a period of time. When the service session is associated with a session entry in session table 412, a service session is active. In various embodiments, session rate 821 calculates a difference between a count of received service requests and a count of received service termination requests over a period of time. In other embodiments, session rate 821 calculates a count of service requests received over a period of time.

In some embodiments, service gateway 110 calculates a session rate 821 in a predetermined period of time, such as every second, once every 250 milliseconds, once every 3 seconds or once every 10 seconds. In other embodiments, service gateway 110 calculates session rate 821 at variable times. For example, service gateway 110 calculates session rate 821 when a data packet from a host is received; when a service request is received; when a service termination request is received; or when a data packet is received from server 200. Service gateway 110 compares session rate 821 with session rate 811 of hybrid-stateless condition 810. If session rate 821 exceeds or is equal to session rate 811, service gateway 110 determines that hybrid-stateless condition 810 is met and satisfied.

In various embodiments, hybrid-stateless condition 810 includes a session table utilization 814. A session table utilization is a parameter setting forth a percentage of the session table capacity that is storing session entries. Hybrid-stateless condition 810 is satisfied if a count of stored session entries of session table 412 exceeds session table utilization 814. For example, session table utilization 814 is 90%, 85% or 95%. Service gateway 110 calculates a session table utilization 824 from time to time by calculating a count of stored session entries of session table 412. In some embodiments, service gateway 110 calculates session table utilization 824 periodically, such as every second, once every 20 milliseconds, once every 500 milliseconds, or once every 2 seconds. In other embodiments, service gateway 110 calculates session table utilization 824 when service gateway 110 processes a service request, a service termination request, or a data packet.

Service gateway 110 compares session table utilization 824 with session table utilization 814 of hybrid-stateless condition 810. When session table utilization 824 exceeds or is equal to session table utilization 814, service gateway 110 determines that hybrid-stateless condition 810 is met and satisfied.

In some embodiments, hybrid-stateless condition 810 further includes a time duration 816, where hybrid-stateless condition 810 must be considered met for at least a time duration 816 in order for the hybrid-stateless condition 810 to be satisfied. Examples of time duration 816 include 120 seconds, 30 seconds, and 5 seconds. Service gateway 110 checks from time to time whether the hybrid-stateless condition 810 is met, as described earlier. In various embodiments, service gateway 110 further includes a time duration 826 stored in memory. Initially, service gateway 110 assigns a value of 0 to the time duration 826. From time to time, service gateway 110 checks if hybrid-stateless condition 810 is met. If hybrid-stateless condition 810 is met, service gateway 110 increases the time duration 826 by an amount of time elapsed since the last time the hybrid-stateless condition 810 was checked. After the time duration 826 is modified, service gateway 110 checks if the time duration 826 exceeds time duration 816. If time duration 826 exceeds time duration 816, service gateway 110 determines that hybrid-stateless condition 810 is satisfied. Service gateway 110 subsequently changes to employ a hybrid-stateless method with subsequently received data packets.

If service gateway 110 determines hybrid-stateless condition 810 is not met, service gateway 110 modifies the time duration 826 to a value of 0.

In some embodiments, service gateway 110 receives hybrid-stateless condition 810 from an operator or an administrator 130. Administrator 130 can be a human operator provisioning hybrid-stateless condition 810 onto service gateway 110. Administrator 130 can be a network management system sending hybrid-stateless condition 810 to service gateway 110. Administrator 130 may include a storage medium storing hybrid-stateless condition 810. Service gateway 110 retrieves hybrid-stateless condition 810 from the storage of administrator 130.

FIGS. 7 and 11 illustrate an embodiment of a service gateway and a method, respectively, for changing from a hybrid-stateless processing method to a hybrid-stateful processing method in response to a hybrid-stateful condition being satisfied according to the present invention. Referring to both FIGS. 7 and 11, service gateway 110 employs a hybrid-stateless processing method (1101). Service gateway 110 maintains a hybrid-stateful condition 910. Service gateway 110 checks if hybrid-stateful condition 910 is satisfied (1102). In response to determining that the hybrid-stateful condition 910 is satisfied (1103), service gateway 110 changes to a hybrid-stateful processing method (1104) and processes the next data packet using the hybrid-stateful processing method, described above with reference to FIGS. 5 and 9. In response to determining that the hybrid-stateful condition 910 is not satisfied (1103), service gateway 110 continues using the hybrid-stateless processing method (1105) and processes the next data packet using the hybrid-stateless processing method, as described above with reference to FIGS. 4 and 8.

In some embodiments, hybrid-stateful condition 910 includes a session rate 911. For example, session rate 911 is 1 thousand sessions per second, 500 active sessions per second, or ten sessions per 10 milliseconds.

Service gateway 110 can calculate a session rate 921. In some embodiments, session rate 921 calculates a difference between a count of received service requests and a count of received service termination requests over a period of time. Session rate 921 may also calculate a count of service requests received over a period of time. In various embodiments, service gateway 110 determines if a data packet received from a host includes a service request before applying a hybrid-stateless processing method to the received data packet. Service gateway 110 may also determine if a data packet received from a host or a server includes a service termination request before applying a hybrid-stateless processing method to the received data packet.

In some embodiments, service gateway 110 calculates session rate 921 in a predetermined period of time, such as every second, once every 100 milliseconds, once every 3 seconds, or once every 5 seconds. Service gateway 110 may also calculate session rate 921 at variable times. For example, service gateway 110 calculates session rate 921 when a data packet from a host is received; when a service request is received; when a service termination request is received; or when a data packet is received from a server. Service gateway 110 compares session rate 921 with session rate 911. If session rate 921 is below or smaller than session rate 911, service gateway 110 determines that hybrid-stateful condition 910 is met and satisfied.

In various embodiments, hybrid-stateful condition 910 includes a session table utilization 914. Hybrid-stateful condition 910 is satisfied if a count of stored session entries of session table 412 does not exceed session table utilization 914. For example, session table utilization 914 is 60%, 75% or 45%. Service gateway 110 calculates session table utilization 924 from time to time by calculating a count of stored session entries of session table 412. In some embodiments, service gateway 110 calculates session table utilization 924 periodically, such as every second, once every 20 milliseconds, once every 500 milliseconds, or once every 2 seconds. Service gateway 110 may also calculate session table utilization 924 when service gateway 110 processes a service request, a service termination request, or a data packet.

Service gateway 110 compares session table utilization 924 with session table utilization 914 of hybrid-stateful condition 910. If session table utilization 924 is smaller than session table utilization 914, service gateway 110 determines that hybrid-stateful condition 910 is met and satisfied.

Hybrid-stateful condition 910 may further include a time duration 916, where hybrid-stateful condition 910 must be considered met for at least a time duration 916 in order for the hybrid-stateful condition 910 to be satisfied. Examples of time duration 916 include 100 seconds, 40 seconds, and 5 seconds. Service gateway 110 checks from time to time if the hybrid-stateful condition 910 is met as described earlier. In some embodiments, service gateway 110 further includes a time duration 926 stored in memory. Initially, service gateway 110 assigns a value of 0 to the time duration 926. From time to time, service gateway 110 determines if hybrid-stateful condition 910 is met. If hybrid-stateful condition 910 is met, service gateway 110 increases the time duration 926 by an amount of time elapsed since the last time the hybrid-stateful condition 910 was checked. In various embodiments, after the time duration 926 is modified, service gateway 110 checks if the time duration 926 exceeds time duration 916. If time duration 926 exceeds time duration 916, service gateway 110 determines hybrid-stateful condition 910 is satisfied. Service gateway 110 subsequently changes to employ a hybrid-stateful method with subsequently received data packets.

In some embodiments, service gateway 110 receives hybrid-stateful condition 910 from an operator or an administrator 130. Administrator 130 can be a human operator provisioning hybrid-stateful condition 910 onto service gateway 110. Administrator 130 can be a network management system sending hybrid-stateful condition 910 to service gateway 110. Administrator 130 can include a storage medium storing hybrid-stateful condition 910. Service gateway 110 retrieves hybrid-stateful condition 910 from the storage of administrator 130.
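The two switching conditions, hybrid-stateless condition 810 and hybrid-stateful condition 910, each with its accumulated time duration (826 and 926), can be combined into one mode controller. The sketch below is an added example, not code from the patent; the names, the OR/AND combination of the rate and utilization tests, the reset of duration 926 when condition 910 is not met, and the sample timeline are assumptions, while the threshold values are taken from the examples in the text.

```python
from dataclasses import dataclass

STATEFUL = "hybrid-stateful"
STATELESS = "hybrid-stateless"


@dataclass(frozen=True)
class Condition:
    session_rate: float       # sessions per second (811 or 911)
    table_utilization: float  # fraction of session table in use (814 or 914)
    time_duration: float      # seconds the condition must stay met (816 or 916)


def session_rate(requests: int, terminations: int, period_s: float) -> float:
    """Service requests minus termination requests over a period, per second."""
    return (requests - terminations) / period_s


class ModeController:
    def __init__(self, to_stateless: Condition, to_stateful: Condition, now=0.0):
        self.to_stateless = to_stateless
        self.to_stateful = to_stateful
        self.mode = STATEFUL
        self.met_for = 0.0      # time duration 826 / 926, starts at 0
        self.last_check = now

    def check(self, now: float, rate: float, utilization: float) -> str:
        """Evaluate the condition for the current mode; return the mode to use next."""
        elapsed = now - self.last_check
        self.last_check = now
        if self.mode == STATEFUL:
            cond, target = self.to_stateless, STATELESS
            # Assumption: either overload signal is enough to count as met.
            met = rate >= cond.session_rate or utilization >= cond.table_utilization
        else:
            cond, target = self.to_stateful, STATEFUL
            # Assumption: both signals must be low before policy checks resume.
            met = rate < cond.session_rate and utilization < cond.table_utilization
        if not met:
            self.met_for = 0.0  # a single unmet check restarts the clock
            return self.mode
        self.met_for += elapsed
        if self.met_for > cond.time_duration:
            self.mode = target  # applies to subsequently received packets
            self.met_for = 0.0
        return self.mode


# Thresholds taken from the examples in the text.
TO_STATELESS = Condition(session_rate=10_000, table_utilization=0.90, time_duration=5)
TO_STATEFUL = Condition(session_rate=1_000, table_utilization=0.60, time_duration=5)

# Constructed timeline: (time in seconds, measured session rate, table utilization).
TIMELINE = [
    (2, 12_000, 0.50), (4, 12_000, 0.50),   # overload begins
    (6, 3_000, 0.50),                       # dips: accumulated duration resets
    (8, 15_000, 0.50), (10, 15_000, 0.70), (12, 15_000, 0.80),  # sustained > 5 s
    (14, 500, 0.40), (16, 500, 0.70),       # calm, but table still too full
    (18, 500, 0.40), (20, 500, 0.40), (22, 500, 0.40),          # sustained calm
]


def replay(timeline):
    """Run the controller over a timeline and return the mode after each check."""
    ctl = ModeController(TO_STATELESS, TO_STATEFUL, now=0.0)
    return [ctl.check(t, rate, util) for t, rate, util in timeline]


if __name__ == "__main__":
    for (t, rate, util), mode in zip(TIMELINE, replay(TIMELINE)):
        print(f"t={t:>2}s rate={rate:>6} util={util:.2f} -> {mode}")
```

The gap between the two threshold sets, together with the time durations, keeps the gateway from flapping between modes. Because security policy 482 is not applied on the stateless path, each change to hybrid-stateless is an event worth logging.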

Returning to FIG. 8, FIG. 8 shows that when the service gateway 110 is processing data packets using the stateful processing method (805), the service gateway 110 would check whether the hybrid-stateless condition 801 is met (see FIG. 10). FIG. 8 also shows that when the service gateway 110 is processing data packets using the stateless processing method (808), the service gateway 110 would check whether the hybrid-stateful condition 910 is met (see FIG. 11). However, the references (C and D) to FIGS. 10 and 11 are not intended to convey any order of steps. The checking of the conditions 810 or 910 may occur concurrently with the processing of data packets, as described above with reference to FIGS. 4 and 8.

Returning to FIG. 9, FIG. 9 shows that when the service gateway 110 is processing data packets using the stateful processing method (903), the service gateway 110 would check whether the hybrid-stateless condition 810 is met (see FIG. 10). FIG. 9 also shows that when the service gateway 110 is processing data packets using the hybrid-stateless processing method (904), the service gateway 110 would either check if the hybrid-stateless condition 810 or the hybrid-stateful condition 910 is met (see FIGS. 10 and 11), depending on the processing during the hybrid states processing method per FIGS. 4 and 8. However, the references to FIGS. 10 (C) and 11 (D) are not intended to convey any order of steps. The checking of the conditions 810 or 910 may occur concurrently with the processing of data packets as illustrated in FIGS. 5 and 9.

Although the present invention has been described in accordance with the embodiments shown, one of ordinary skill in the art will readily recognize that there could be variations to the embodiments and those variations would be within the spirit and scope of the present invention. Accordingly, many modifications may be made by one of ordinary skill in the art without departing from the spirit and scope of the appended claims.

What is claimed is:
1. A method for processing data packets sent over a communication session between a host and a server by a service gateway, comprising: processing a data packet using a hybrid-stateful processing method by the service gateway, the hybrid-stateful processing method utilizing a service session table; checking by the service gateway whether a hybrid-stateless condition is satisfied; in response to determining that the hybrid-stateless condition is satisfied, changing to a hybrid-stateless processing method for a subsequently received data packet by the service gateway, the hybrid-stateless processing method utilizing a service mapping table; and in response to determining that the hybrid-stateless condition is not satisfied, processing the subsequently received data packet using the hybrid-stateful processing method by the service gateway.
2. The method of claim 1, wherein the checking by the service gateway whether the hybrid-stateless condition is satisfied comprises: comparing a time duration stored in memory against a predetermined time duration by the service gateway; determining whether the time duration stored in memory exceeds the predetermined time duration; in response to determining that the time duration stored in memory exceeds the predetermined time duration, determining by the service gateway that the hybrid-stateless condition is satisfied; and in response to determining that the time duration stored in memory does not exceed the predetermined time duration, determining by the service gateway that the hybrid-stateless condition is not satisfied.
3. The method of claim 1, wherein the checking by the service gateway whether a hybrid-stateless condition is satisfied comprises receiving from an administrator the hybrid-stateless condition by the service gateway.
4. The method of claim 3, wherein the administrator comprises: a human operator; a network management system; or a storage medium storing the hybrid-stateless condition.
5. A system, comprising: a service gateway comprising a processor and a computer readable storage medium having computer readable program code embodied therewith, the computer readable program code configured to: process a data packet using a hybrid-stateful processing method, the hybrid-stateful processing method utilizing a service session table at the service gateway; check whether a hybrid-stateless condition is satisfied; in response to determining that the hybrid-stateless condition is satisfied, change to a hybrid-stateless processing method for a subsequently received data packet, the hybrid-stateless processing method utilizing a service mapping table at the service gateway; and in response to determining that the hybrid-stateless condition is not satisfied, process the subsequently received data packet using the hybrid-stateful processing method.
6. The system of claim 5, wherein the check whether a hybrid-stateless condition is satisfied comprises: compare a time duration stored in memory against a predetermined time duration by the service gateway; determine whether the time duration stored in memory exceeds the predetermined time duration; in response to determining that the time duration stored in memory exceeds the predetermined time duration, determine by the service gateway that the hybrid-stateless condition is satisfied; and in response to determining that the time duration stored in memory does not exceed the predetermined time duration, determine by the service gateway that the hybrid-stateless condition is not satisfied.
7. The system of claim 5, wherein the check whether a hybrid-stateless condition is satisfied comprises receiving from an administrator the hybrid-stateless condition by the service gateway.
8. The system of claim 7, wherein the administrator comprises: a human operator; a network management system; or a storage medium storing the hybrid-stateless condition.
9. A method for processing data packets sent over a communication session between a host and a server by a service gateway, comprising: processing a data packet using a hybrid-stateless processing method by the service gateway, the hybrid-stateless processing method utilizing a service mapping table; checking by the service gateway whether a hybrid-stateful condition is satisfied; in response to determining that the hybrid-stateful condition is satisfied, changing to a hybrid-stateful processing method for a subsequently received data packet by the service gateway, the hybrid-stateful processing method utilizing a service session table; and in response to determining that the hybrid-stateful condition is not satisfied, processing the subsequently received data packet using the hybrid-stateless processing method by the service gateway.
10. The method of claim 9, wherein the hybrid-stateful condition comprises a predetermined session rate, wherein the checking by the service gateway whether the hybrid-stateful condition is satisfied comprises: calculating a session rate for a plurality of communication sessions received by the service gateway; determining whether the calculated session rate is less than the predetermined session rate by the service gateway; in response to determining that the calculated session rate is less than the predetermined session rate, determining by the service gateway that the hybrid-stateful condition is satisfied; and in response to determining that the calculated session rate is greater than or equals the predetermined session rate, determining by the service gateway that the hybrid-stateful condition is not satisfied.
11. The method of claim 10, wherein the calculated session rate comprises: a difference between a count of received service requests and a count of received service termination requests over a predetermined period of time or a count of service requests over the predetermined period of time.
12. The method of claim 9, wherein the hybrid-stateful condition comprises a predetermined session table utilization, wherein the checking by the service gateway whether a hybrid-stateful condition is satisfied comprises: counting a number of stored session entries in the session table by the service gateway; determining whether the number of stored session entries does not exceed the predetermined session table utilization by the service gateway; in response to determining that the number of stored session entries does not exceed the predetermined session table utilization, determining by the service gateway that the hybrid-stateful condition is satisfied; and in response to determining that the number of stored session entries exceeds the predetermined session table utilization, determining by the service gateway that the hybrid-stateful condition is not satisfied.
13. The method of claim 9, wherein the checking by the service gateway whether the hybrid-stateful condition is satisfied comprises: comparing a time duration stored in memory against a predetermined time duration by the service gateway; determining whether the time duration stored in memory exceeds the predetermined time duration; in response to determining that the time duration stored in memory exceeds the predetermined time duration, determining by the service gateway that the hybrid-stateful condition is satisfied; and in response to determining that the time duration stored in memory does not exceed the predetermined time duration, determining by the service gateway that the hybrid-stateful condition is not satisfied.
14. The method of claim 13, wherein the checking by the service gateway whether a hybrid-stateful condition is satisfied comprises receiving from an administrator the hybrid-stateful condition by the service gateway.
15. The method of claim 14, wherein the administrator comprises: a human operator; a network management system; or a storage medium storing the hybrid-stateful condition.